From 94dcbd617f3d06ca294d5d151390698e4bddd2cc Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Wed, 06 Jun 2012 17:00:21 -0400
Subject: [PATCH] Implemented default access restriction (issue 88)

---
 distrib/gitblit.properties |  373 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 364 insertions(+), 9 deletions(-)

diff --git a/distrib/gitblit.properties b/distrib/gitblit.properties
index 734dddd..58833c0 100644
--- a/distrib/gitblit.properties
+++ b/distrib/gitblit.properties
@@ -2,7 +2,9 @@
 # Git Servlet Settings
 #
 
-# Base folder for repositories
+# Base folder for repositories.
+# This folder may contain bare and non-bare repositories but Gitblit will only
+# allow you to push to bare repositories.
 # Use forward slashes even on Windows!!
 # e.g. c:/gitrepos
 #
@@ -28,6 +30,92 @@
 # SINCE 0.5.0
 git.enableGitServlet = true
 
+# Only serve/display bare repositories.
+# If there are non-bare repositories in git.repositoriesFolder and this setting
+# is true, they will be excluded from the ui. 
+#
+# SINCE 0.9.0
+git.onlyAccessBareRepositories = false
+
+# The default access restriction for new repositories.
+# Valid values are NONE, PUSH, CLONE, VIEW
+#  NONE = anonymous view, clone, & push
+#  PUSH = anonymous view & clone and authenticated push
+#  CLONE = anonymous view, authenticated clone & push
+#  VIEW = authenticated view, clone, & push
+#
+# SINCE 1.0.0
+git.defaultAccessRestriction = NONE
+
+#
+# Groovy Integration
+#
+
+# Location of Groovy scripts to use for Pre and Post receive hooks.
+# Use forward slashes even on Windows!!
+# e.g. c:/groovy
+#
+# RESTART REQUIRED
+# SINCE 0.8.0
+groovy.scriptsFolder = groovy
+
+# Scripts to execute on Pre-Receive.
+#
+# These scripts execute after an incoming push has been parsed and validated
+# but BEFORE the changes are applied to the repository.  You might reject a
+# push in this script based on the repository and branch the push is attempting
+# to change.
+#
+# Script names are case-sensitive on case-sensitive file systems.  You may omit
+# the traditional ".groovy" from this list if your file extension is ".groovy" 
+#
+# NOTE:
+# These scripts are only executed when pushing to *Gitblit*, not to other Git
+# tooling you may be using.  Also note that these scripts are shared between
+# repositories. These are NOT repository-specific scripts!  Within the script
+# you may customize the control-flow for a specific repository by checking the
+# *repository* variable.
+#
+# SPACE-DELIMITED
+# CASE-SENSITIVE
+# SINCE 0.8.0
+groovy.preReceiveScripts =
+
+# Scripts to execute on Post-Receive.
+#
+# These scripts execute AFTER an incoming push has been applied to a repository.
+# You might trigger a continuous-integration build here or send a notification.
+#
+# Script names are case-sensitive on case-sensitive file systems.  You may omit
+# the traditional ".groovy" from this list if your file extension is ".groovy" 
+#
+# NOTE:
+# These scripts are only executed when pushing to *Gitblit*, not to other Git
+# tooling you may be using.  Also note that these scripts are shared between
+# repositories. These are NOT repository-specific scripts!  Within the script
+# you may customize the control-flow for a specific repository by checking the
+# *repository* variable.
+# 
+# SPACE-DELIMITED
+# CASE-SENSITIVE
+# SINCE 0.8.0
+groovy.postReceiveScripts =
+
+# Repository custom fields for Groovy Hook mechanism
+#
+# List of key=label pairs of custom fields to prompt for in the Edit Repository
+# page.  These keys are stored in the repository's git config file in the 
+# section [gitblit "customFields"].  Key names are alphanumeric only.  These
+# fields are intended to be used for the Groovy hook mechanism where a script
+# can adjust it's execution based on the custom fields stored in the repository
+# config.
+#
+# e.g. "commitMsgRegex=Commit Message Regular Expression" anotherProperty=Another
+#
+# SPACE-DELIMITED
+# SINCE 1.0.0
+groovy.customFields = 
+
 #
 # Authentication Settings
 #
@@ -50,16 +138,23 @@
 # SINCE 0.5.0
 web.allowCookieAuthentication = true
 
-# Either the path to a simple user properties file
+# Either the full path to a user config file (users.conf)
+# OR the full path to a simple user properties file (users.properties)
 # OR a fully qualified class name that implements the IUserService interface.
-# Any custom implementation must have a public default constructor.
+#
+# Alternative user services:
+#    com.gitblit.LdapUserService
+#
+# Any custom user service implementation must have a public default constructor.
 #
 # SINCE 0.5.0
 # RESTART REQUIRED
-realm.userService = users.properties
+realm.userService = users.conf
 
 # How to store passwords.
-# Valid values are plain or md5.  Default is md5.
+# Valid values are plain, md5, or combined-md5.  md5 is the hash of password.
+# combined-md5 is the hash of username.toLowerCase()+password.
+# Default is md5.
 #
 # SINCE 0.5.0 
 realm.passwordStorage = md5
@@ -69,6 +164,121 @@
 #
 # SINCE 0.5.0 
 realm.minPasswordLength = 5
+
+# URL of the LDAP server.
+#
+# SINCE 1.0.0
+realm.ldap.server = ldap://localhost
+
+# Login username for LDAP searches.
+# If this value is unspecified, anonymous LDAP login will be used.
+# 
+# e.g. mydomain\\username
+#
+# SINCE 1.0.0
+realm.ldap.username = cn=Directory Manager
+
+# Login password for LDAP searches.
+#
+# SINCE 1.0.0
+realm.ldap.password = password
+
+# The LdapUserService must be backed by another user service for standard user
+# and team management.
+# default: users.conf
+#
+# SINCE 1.0.0
+# RESTART REQUIRED
+realm.ldap.backingUserService = users.conf
+
+# Delegate team membership control to LDAP.
+#
+# If true, team user memberships will be specified by LDAP groups.  This will
+# disable team selection in Edit User and user selection in Edit Team.
+#
+# If false, LDAP will only be used for authentication and Gitblit will maintain
+# team memberships with the *realm.ldap.backingUserService*.
+#
+# SINCE 1.0.0
+realm.ldap.maintainTeams = false
+
+# Root node for all LDAP users
+#
+# This is the root node from which subtree user searches will begin.
+# If blank, Gitblit will search ALL nodes.
+#
+# SINCE 1.0.0
+realm.ldap.accountBase = OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
+
+# Filter criteria for LDAP users
+#
+# Query pattern to use when searching for a user account. This may be any valid 
+# LDAP query expression, including the standard (&) and (|) operators.
+#
+# Variables may be injected via the ${variableName} syntax.
+# Recognized variables are:
+#    ${username} - The text entered as the user name
+#
+# SINCE 1.0.0
+realm.ldap.accountPattern = (&(objectClass=person)(sAMAccountName=${username}))
+
+# Root node for all LDAP groups to be used as Gitblit Teams
+#
+# This is the root node from which subtree team searches will begin.
+# If blank, Gitblit will search ALL nodes.  
+#
+# SINCE 1.0.0
+realm.ldap.groupBase = OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain
+
+# Filter criteria for LDAP groups
+#
+# Query pattern to use when searching for a team. This may be any valid 
+# LDAP query expression, including the standard (&) and (|) operators.
+#
+# Variables may be injected via the ${variableName} syntax.
+# Recognized variables are:
+#    ${username} - The text entered as the user name
+#    ${dn} - The Distinguished Name of the user logged in
+#
+# All attributes from the LDAP User record are available. For example, if a user
+# has an attribute "fullName" set to "John", "(fn=${fullName})" will be 
+# translated to "(fn=John)".
+#
+# SINCE 1.0.0
+realm.ldap.groupMemberPattern = (&(objectClass=group)(member=${dn}))
+
+# LDAP users or groups that should be given administrator privileges.
+#
+# Teams are specified with a leading '@' character.  Groups with spaces in the
+# name can be entered as "@team name".
+#
+# e.g. realm.ldap.admins = john @git_admins "@git admins"
+#
+# SPACE-DELIMITED
+# SINCE 1.0.0
+realm.ldap.admins = @Git_Admins
+
+# Attribute(s) on the USER record that indicate their display (or full) name.
+# Leave blank for no mapping available in LDAP.
+#
+# This may be a single attribute, or a string of multiple attributes.  Examples:
+#  displayName - Uses the attribute 'displayName' on the user record
+#  ${personalTitle}. ${givenName} ${surname} - Will concatenate the 3 
+#       attributes together, with a '.' after personalTitle
+#
+# SINCE 1.0.0
+realm.ldap.displayName = displayName
+
+# Attribute(s) on the USER record that indicate their email address.
+# Leave blank for no mapping available in LDAP.
+#
+# This may be a single attribute, or a string of multiple attributes.  Examples:
+#  email - Uses the attribute 'email' on the user record
+#  ${givenName}.${surname}@gitblit.com -Will concatenate the 2 attributes
+#       together with a '.' and '@' creating something like first.last@gitblit.com 
+#
+# SINCE 1.0.0
+realm.ldap.email = email
 
 #
 # Gitblit Web Settings
@@ -87,10 +297,52 @@
 # SINCE 0.5.0 
 web.allowAdministration = true
 
+# Allows rpc clients to list repositories and possibly manage or administer the 
+# Gitblit server, if the authenticated account has administrator permissions.
+# See *web.enableRpcManagement* and *web.enableRpcAdministration*.
+#
+# SINCE 0.7.0 
+web.enableRpcServlet = true
+
+# Allows rpc clients to manage repositories and users of the Gitblit instance,
+# if the authenticated account has administrator permissions.
+# Requires *web.enableRpcServlet=true*.
+#
+# SINCE 0.7.0 
+web.enableRpcManagement = false
+
+# Allows rpc clients to control the server settings and monitor the health of this
+# this Gitblit instance, if the authenticated account has administrator permissions.
+# Requires *web.enableRpcServlet=true* and *web.enableRpcManagement*.
+#
+# SINCE 0.7.0 
+web.enableRpcAdministration = false
+
+# Allow Gravatar images to be displayed in Gitblit pages.
+#
+# SINCE 0.8.0
+web.allowGravatar = true
+
 # Allow dynamic zip downloads.
 #
 # SINCE 0.5.0   
 web.allowZipDownloads = true
+
+# Allow optional Lucene integration. Lucene indexing is an opt-in feature.
+# A repository may specify branches to index with Lucene instead of using Git
+# commit traversal. There are scenarios where you may want to completely disable
+# Lucene indexing despite a repository specifying indexed branches.  One such
+# scenario is on a resource-constrained federated Gitblit mirror.
+#
+# SINCE 0.9.0
+web.allowLuceneIndexing = true
+
+# Use Clippy (Flash solution) to provide a copy-to-clipboard button.
+# If false, a button with a more primitive JavaScript-based prompt box will
+# offer a 3-step (click, ctrl+c, enter) copy-to-clipboard alternative.
+#
+# SINCE 0.8.0
+web.allowFlashCopyToClipboard = true
 
 # Default number of entries to include in RSS Syndication links
 #
@@ -104,18 +356,43 @@
 # SINCE 0.5.2
 web.showRepositorySizes = true
 
+# List of custom regex expressions that can be displayed in the Filters menu
+# of the Repositories and Activity pages.  Keep them very simple because you
+# are likely to run into encoding issues if they are too complex.
+#
+# Use !!! to separate the filters 
+#
+# SINCE 0.8.0
+web.customFilters =
+
 # Show federation registrations (without token) and the current pull status
 # to non-administrator users. 
 #
 # SINCE 0.6.0
 web.showFederationRegistrations = false
 
-# This is the message display above the repositories table.
+# This is the message displayed when *web.authenticateViewPages=true*.
+# This can point to a file with Markdown content.
+# Specifying "gitblit" uses the internal login message.
+#
+# SINCE 0.7.0
+web.loginMessage = gitblit
+
+# This is the message displayed above the repositories table.
 # This can point to a file with Markdown content.
 # Specifying "gitblit" uses the internal welcome message.
 #
 # SINCE 0.5.0
 web.repositoriesMessage = gitblit
+
+# Manually set the default timezone to be used by Gitblit for display in the 
+# web ui.  This value is independent of the JVM timezone.  Specifying a blank
+# value will default to the JVM timezone.
+# e.g. America/New_York, US/Pacific, UTC, Europe/Berlin
+#
+# SINCE 0.9.0
+# RESTART REQUIRED
+web.timezone =
 
 # Use the client timezone when formatting dates.
 # This uses AJAX to determine the browser's timezone and may require more
@@ -126,17 +403,28 @@
 # RESTART REQUIRED
 web.useClientTimezone = false
 
+# Time format
+# <http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html>
+#
+# SINCE 0.8.0
+web.timeFormat = HH:mm
+
 # Short date format
 # <http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html>
 #
 # SINCE 0.5.0
 web.datestampShortFormat = yyyy-MM-dd
 
+# Long date format
+#
+# SINCE 0.8.0
+web.datestampLongFormat = EEEE, MMMM d, yyyy
+
 # Long timestamp format
 # <http://download.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html>
 #
 # SINCE 0.5.0
-web.datetimestampLongFormat = EEEE, MMMM d, yyyy h:mm a z
+web.datetimestampLongFormat = EEEE, MMMM d, yyyy HH:mm Z
 
 # Mount URL parameters
 # This setting controls if pretty or parameter URLs are used.
@@ -155,7 +443,9 @@
 # to preemptively replace '/' with '*' or '!' for url string parameters.
 #
 # <https://issues.apache.org/jira/browse/WICKET-1303>
-# <http://tomcat.apache.org/security-6.html>
+# <http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10>
+# Add *-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true* to your
+# *CATALINA_OPTS* or to your JVM launch parameters
 #
 # SINCE 0.5.2
 web.forwardSlashCharacter = /
@@ -182,6 +472,12 @@
 # SINCE 0.5.0
 web.repositoryRootGroupName = main
 
+# Display the repository swatch color next to the repository name link in the 
+# repositories list. 
+#
+# SINCE 0.8.0
+web.repositoryListSwatches = true
+
 # Choose the diff presentation style: gitblt, gitweb, or plain
 #
 # SINCE 0.5.0
@@ -204,6 +500,12 @@
 # SINCE 0.5.0 
 web.generateActivityGraph = true
 
+# The number of days to show on the activity page.
+# Value must exceed 0 else default of 14 is used
+#
+# SINCE 0.8.0
+web.activityDuration = 14
+
 # The number of commits to display on the summary page
 # Value must exceed 0 else default of 20 is used
 #
@@ -223,6 +525,12 @@
 #
 # SINCE 0.5.0
 web.itemsPerPage = 50
+
+# Registered file extensions to ignore during Lucene indexing
+#
+# SPACE-DELIMITED
+# SINCE 0.9.0
+web.luceneIgnoreExtensions = 7z arc arj bin bmp dll doc docx exe gif gz jar jpg lib lzh odg odf odt pdf ppt png so swf xcf xls xlsx zip
 
 # Registered extensions for google-code-prettify
 #
@@ -269,10 +577,13 @@
 # Example global regex substitutions
 # Use !!! to separate the search pattern and the replace pattern
 # searchpattern!!!replacepattern
+# SINCE 0.5.0
 regex.global.bug = \\b(Bug:)(\\s*[#]?|-){0,1}(\\d+)\\b!!!<a href="http://somehost/bug/$3">Bug-Id: $3</a>
+# SINCE 0.5.0
 regex.global.changeid = \\b(Change-Id:\\s*)([A-Za-z0-9]*)\\b!!!<a href="http://somehost/changeid/$2">Change-Id: $2</a>
 
 # Example per-repository regex substitutions overrides global
+# SINCE 0.5.0
 regex.myrepository.bug = \\b(Bug:)(\\s*[#]?|-){0,1}(\\d+)\\b!!!<a href="http://elsewhere/bug/$3">Bug-Id: $3</a>
 
 #
@@ -301,6 +612,7 @@
 #
 # SINCE 0.6.0
 mail.username =
+# SINCE 0.6.0
 mail.password =
 
 # from address for generated emails
@@ -313,6 +625,17 @@
 # SPACE-DELIMITED
 # SINCE 0.6.0
 mail.adminAddresses = 
+
+# List of email addresses for sending push email notifications.
+#
+# This key currently requires use of the sendemail.groovy hook script.
+# If you set sendemail.groovy in *groovy.postReceiveScripts* then email
+# notifications for all repositories (regardless of access restrictions!)
+# will be sent to these addresses.
+#
+# SPACE-DELIMITED
+# SINCE 0.8.0
+mail.mailingLists =
 
 #
 # Federation Settings
@@ -391,6 +714,13 @@
 #   if unspecified, the folder is *git.repositoriesFolder*
 #   if specified, the folder is relative to *git.repositoriesFolder*
 #
+# bare:
+#   if true, each repository will be created as a *bare* repository and will not
+#   have a working directory.
+#
+#   if false, each repository will be created as a normal repository suitable
+#   for local work.
+#
 # mirror:
 #   if true, each repository HEAD is reset to *origin/master* after each pull.
 #   The repository will be flagged *isFrozen* after the initial clone.
@@ -419,6 +749,7 @@
 #federation.example1.token = 6f3b8a24bf970f17289b234284c94f43eb42f0e4
 #federation.example1.frequency = 120 mins
 #federation.example1.folder =
+#federation.example1.bare = true 
 #federation.example1.mirror = true 
 #federation.example1.mergeAccounts = true
 
@@ -438,6 +769,13 @@
 # RESTART REQUIRED
 server.useNio = true
 
+# Context path for the GO application.  You might want to change the context
+# path if running Gitblit behind a proxy layer such as mod_proxy.
+#
+# SINCE 0.7.0
+# RESTART REQUIRED
+server.contextPath = /
+
 # Standard http port to serve.  <= 0 disables this connector.
 # On Unix/Linux systems, ports < 1024 require root permissions.
 # Recommended value: 80 or 8080
@@ -453,6 +791,14 @@
 # SINCE 0.5.0
 # RESTART REQUIRED
 server.httpsPort = 8443
+
+# Port for serving an Apache JServ Protocol (AJP) 1.3 connector for integrating
+# Gitblit GO into an Apache HTTP server setup.  <= 0 disables this connector.
+# Recommended value: 8009
+#
+# SINCE 0.9.0
+# RESTART REQUIRED
+server.ajpPort = 0
 
 # Specify the interface for Jetty to bind the standard connector.
 # You may specify an ip or an empty value to bind to all interfaces.
@@ -472,6 +818,15 @@
 # RESTART REQUIRED
 server.httpsBindInterface = localhost
 
+# Specify the interface for Jetty to bind the AJP connector.
+# You may specify an ip or an empty value to bind to all interfaces.
+# Specifying localhost will result in Gitblit ONLY listening to requests to
+# localhost.
+#
+# SINCE 0.9.0
+# RESTART REQUIRED
+server.ajpBindInterface = localhost
+
 # Password for SSL keystore.
 # Keystore password and certificate password must match.
 # This is provided for convenience, its probably more secure to set this value
@@ -485,4 +840,4 @@
 #
 # SINCE 0.5.0
 # RESTART REQUIRED
-server.shutdownPort = 8081
+server.shutdownPort = 8081
\ No newline at end of file

--
Gitblit v1.9.1